On Tue, Mar 07, 2017 at 07:09:30PM +0100, Emmanuel Hocdet wrote:
> Use case is to send the fingerprint to the backend and associate it with the user
> agent or anything else to analyse the security level of the connection,
> detect man in the middle, ... And yes the need is to avoid false positives!
>
> Fingerprint of the cipher-list only is not enough. Perhaps in another capture
> sample 'fingerprintTLS'.
>
> You can also have sha256 in capture and generate an int for haproxy counters
> usage.
Then you just need to add a sha256 converter and apply it to the binary
block. It's pointless to waste so much memory for a very specific use case
that can be implemented with the way samples already work. But if you're
going to take something that large, it might even be preferable to keep
the binary block as-is.
> >> For the code:
> >> ssl->msg_callback_arg is considered as ssl internal. It should be a very
> >> good thing to avoid internal structures/undocumented call usage to try to
> >> control the beast or limit painful compatibilities.
> >> In this case SSL_set_ex_data and SSL_get_ex_data will do the job.
> >
> > Ah yes definitely, thanks for reporting this. I guess that openssl 1.1 will
> > complain with a warning because of this.
> >
> >> I will try to fix the patch, it breaks my compile environment.
> >
>
> and the patch:
Thanks. Hmmm, comments below:
@@ -4541,13 +4522,8 @@ static int ssl_sock_from_buf(struct connection *conn,
struct buffer *buf, int fl
}
static void ssl_sock_close(struct connection *conn) {
- struct ssl_capture *capture;
if (conn->xprt_ctx) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- capture = SSL_get_msg_callback_arg(conn->xprt_ctx);
- pool_free2(pool2_ssl_capture, capture);
-#endif
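Review bot: removing the pool_free2() of the capture from ssl_sock_close() leaves no free on the close path in this hunk, so the per-connection ssl_capture allocation leaks once the msg_callback_arg accessor is gone. Since the pointer now lives in ex_data, fetch it back here with `capture = SSL_get_ex_data(conn->xprt_ctx, ssl_capture_ptr_index);` and keep the `pool_free2(pool2_ssl_capture, capture);`, guarding against a NULL result for connections where no capture was stored.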
This strongly looks like a memory leak to me, it looks like instead
you want this:
    capture = SSL_get_ex_data(conn->xprt_ctx, ssl_capture_ptr_index);
    pool_free2(pool2_ssl_capture, capture);
Willy